You should put in the NAT list only ETH01.
Have you configured the default gateway of Zeroshell? you should set it from the section [Router]->[Default Gateway] to the IP of the LAN School’s router.
From the section [Utilities]->[IP Check] try the ping and traceroute of the default gateway and of an external host.

Bad news is I am still leaking dhcp ips to 10.xxx.xxx.xx lan. Also, even though I have captive portal enabled, when I open a browser it takes me to the redirected web page – by passing the portal login.

Why did you create a dhcp subnet for the network 10.x.x.x?
You should remove it.
The captive portal works only if your clients contact the tcp port 80 (http) and 443 (https). In that case the browser will be redirect on the authentication page. If you use a proxy you don’t use those tcp ports and the captive portal is not able to redirect your clients.
This is not true if your organization use a transparent proxy, because in this case you don’t need to configure the web browser to use different http and https ports.

Thank you so much for your help! I removed the dhcp segment 10.xxxx. I don’t know how to change the win proxy transparent mode. Our windows network was setup by some university guys paid by the Feds under a grant. They left and now we teachers have to support it.

So, I will research how to create transparent proxy in windows.

Fulvio, words escape me on how to tell you how much I appreciate your help.